What You Need To Know About the HIPAA Security Rule

In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.

What is the difference between the privacy and security of health information?

With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information, and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA Privacy Rule applies to all protected health information (PHI).

Security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information (ePHI).

Now, the HIPAA Security Rule’s regulatory text isn’t extensive. However, it is quite technical. It codifies specific information and technology best practices and standards.

The HIPAA Security Rule mainly requires the implementation of three key safeguards: technical, physical, and administrative. Beyond that, it imposes certain organizational requirements and requires the documentation of processes, as is the case with the HIPAA Privacy Rule.

Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.

Having said that, the HIPAA Security Rule is designed to be flexible, which means covering all the required aspects of security shouldn’t be tough. There is no need for leveraging specific procedures or technologies. Organizations are allowed to determine the kind of resources necessary for ensuring compliance.

The Security Rule applies to covered entities and their BAs

All covered healthcare entities and their respective BAs (Business Associates) are subject to the HIPAA Security Rule. So, if you’re a covered healthcare provider who makes use of a vendor that has access to ePHI, you need to enforce a BAA or Business Associate Agreement.

A BAA dictates how ePHI will be used, protected, and disclosed. In the case of a breach, both the BA and the covered healthcare provider will be liable to penalties.

There are three key areas where measures need to be taken

As established earlier, the HIPAA Security Rule requires providers to implement security measures that prevent the theft of ePHI. ePHI should only be accessible to authorized personnel, meaning improper access must be prevented.

The HIPAA Security Rule categorizes the necessary safeguards into three levels.

First, we have the ‘Physical Safeguards,’ where efforts must be made to protect the data on a physical level. This means providers need to implement robust security measures such as security systems, surveillance systems, window locks, door locks and so on. Physical access to computers and servers must be monitored, and unauthorized access must be prevented.

Policies that regulate the use of mobile devices inside the premises and hardware/software removal should be put in place.

Next, we have the Administrative Safeguards, which relate to the procedures and policies that a healthcare provider must put in place to prevent breaches. These safeguards must spell out rules for data maintenance, roles and responsibilities, documentation processes, and training requirements.

In short, Administrative Safeguards ensure that the Physical Safeguards are implemented appropriately.

Finally, we have the Technical Safeguards, which relate to the technological aspects of data protection and security. The goal here is to establish technical standards that are necessary to ensure the protection of ePHI, as well as its organization.

According to the Department of Health and Human Services (HHS), healthcare providers need to strike a balance between vulnerabilities to ePHI and identifiable risks, their own capabilities, the cost of protective measures, and the scale.

Always conduct a risk analysis

To ensure proper compliance with the HIPAA Security Rule, healthcare providers must carry out a risk analysis. This entails an assessment of possible threats, vulnerabilities, and risks to the ePHI stored on the providers’ servers.

The chosen methodology or approach can vary. However, it must include scope analysis, methods used to collect data, identification of vulnerabilities or threats, the likelihood of a breach, the level of risk, and reviews/updates on a periodic basis.

You are required by law to comply with the HIPAA Security Rule

All healthcare providers must comply with the HIPAA Security Rule. This is required by federal law. Failure to comply can lead to severe penalties and fines. Civil penalties start at $25,000 and go up to $1.5 million per year.

Criminal penalties also exist for unauthorized use or access of ePHI, as well as the sale of ePHI. The penalties range from exorbitant fines to imprisonment. Fines can go up to $250,000, while prison sentences can go up to ten years.

Patients must be notified if a breach occurs

Healthcare providers are required to alert patients if and when a breach occurs. If the breach affects over 500 patients, the provider must notify the Secretary of HHS and the media.

Protecting ePHI is a must and a never-ending process. However, it is the only way providers can ensure that their patients are protected and that they aren’t liable for damages.